Slides

Question 1

Insider threat

Answer 1

Someone who intentionally misused access to negatively effect network

Question 2

Insider threat methods

Answer 2

• Plant logic bombs
• Open backdoors
• Steal
• Attack internal resources

Question 3

Insider threat warning signs

Answer 3

• Greed
• Introvertversion (outside of normal behavior)
• Financial hardship
• Vulnerability of blackmail
• Reduced loyalty to the United States
• Destructive, narcissistic behavior

Question 4

Insider threat detection and prevention techniques

Answer 4

• Encryption
• Data loss prevention
• Data access monitoring
• Log analysis
• Data redaction
• Data access control

Question 5

Data/file encryption

Answer 5

Ensures integrity and confidentiality of data

Question 6

Data Loss Prevention

Answer 6

Protects data be providing information about how data is used

Question 7

Data Access Monitoring

Answer 7

Identifies who is accessing what

Question 8

Log Analysis

Answer 8

Can determine abnormal events

Question 9

Data Redaction

Answer 9

Removing sensitive data from media

Question 10

What are the types of access control?

Answer 10

• Discretionary access control
• Mandatory access control
• Role-based access control

Question 11

Discretional Access Control (DAC)

Answer 11

Only those specified by the owner

Question 12

Mandatory Access Control (MAC)

Answer 12

Decisions made by cental authority

Question 13

What type of access control is based on what a user does in an organization?

Answer 13

Role-based access control

Question 14

What is it called when a criminal encrypts data on a computer and demands money for access?

Answer 14

Ransomware

Question 15

What is one of the fastest growing malware threats?

Answer 15

Ransomware

Question 16

What are attacks delivered via WiFi, Ethernet, RF, Bluetooth?

Answer 16

Remote direct attacks

Question 17

What delivers attacks through a legitimate looking website, targets vulnerabilities in the browser and associated software and is an attack of opportunity?

Answer 17

Drive-by attack

Question 18

What is a focused drive-by attack called?

Answer 18

Watering hole

Question 19

What is malicious content embedded in a webpage?

Answer 19

IFrame Redirect

Question 20

What are web-based threats?

Answer 20

• Drive-by attacks
• Watering hole
• IFrame redirect
• Fake login pages
• Browser plug-in and script based exploits
• SQL injection
• SEO poisoning

Question 21

What is web based code executed locally to deliver enhanced content to users and uses mostly JavaScript and VBscript?

Answer 21

Browser plug-in and script based exploits

Question 22

What is called when attackers manipulate Search Engine Optimization to put their malicious sites high up in search engineer results, is often times legit website controlled by actor, and is very effective against enterprise networks/users?

Answer 22

SEO poisoning

Question 23

What is the act of entering false information into a DNS cache in order to redirect to a malicious website?

Answer 23

DNS cache poisoning

Question 24

What is called when an attacker uses legitimate credentials to move within the network with no need for plain text passwords and uses Windows Server Message Block (SMB) to login with password hash?

Answer 24

Pass-the-hash

Question 25

What can be a legitimate, existing remote access tool like sysinternals (PSExec) or powershell or illegitimate with legit use often going undetected?

Answer 25

Remote access tools/remote access trojan (RAT)

Question 26

What is it called when attackers exploit a recently fixed zero-day exploit on systems that have not been remediated?

Answer 26

N-day exploit

Question 27

China

Answer 27

• Noisiest threat actor
• Rapid economic expansion
• Ineffective mitigation strategies for target countries
• large population/large attack volume
• TTP “Smash and grab”
• Attacks lack sophistication and creativity

Question 28

North Korea

Answer 28

• Perceives cyber attacks as a means to “level the playing field”
• Commonly uses spear-phishing, watering hole, intel gathering, ransomware

Question 29

Russia

Answer 29

• Home to many advanced cyber attack security researchers
• TTPs include weaponized email attachments, varied attack patterns, exploits, data exfiltration methods, extremely effective detection evasion, Human Intelligence usage
• Low and slow, in it for the long run

Question 30

Syria

Answer 30

• Loyal to Syrian President Bashar al-Assad
• Attacks governments, online services, and media perceived as hostile to the Syrian government

Question 31

What is a group with the ability to be a threat and persist for a long period of time, highly skilled and organized, and many are sponsored?

Answer 31

Advanced Persistent Threats

Question 32

APT29

Answer 32

• Adaptive and disciplined threat group
• Hides activity on victim’s network, communicating infrequently and in a way that closely resembles legitimate traffic
• Monitors network defender activity to maintain control over systems
• Uses only compromised servers for C2 communication
• Counters attempts to remediate attacks
• Maintains fast malware development cycle, quickly altering tools to hinder detection
  ‐ Associated Malware (Hammertoss, Uploader, tDiscoverer)
  ‐ Targets (Western European governments, Foreign policy groups, Other organizations with valuable information for Russia)

Question 33

APT28

Answer 33

‐ Also known as Tsar Team (FireEye)
- Skilled team of developers and operators collecting intelligence on defense and geopolitical issues
- Likely receives ongoing financial support from Russian government
‐ Associated malware (Chopstick, Sourface)
Gain insider information related to governments, militaries and security organizations
‐ Targets (Georgia and eastern European countries and militaries, North Atlantic Treaty Organization (NATO))

Question 34

Hacker

Answer 34

• Deeper knowledge and understanding of computer technology
  ‐ Concerned with subtle details of operating systems, algorithms, and configuration files
  ‐ Elite few of well trained and highly ambitious people

Question 35

Patriot Hackers

Answer 35

• Main motives are to aid or support one’s own nation-state in an ongoing real-world conflict or war
  ‐ Chinese hackers have traditionally been especially inclined toward patriotic hacking

Question 36

Malware Authors

Answer 36

• Form of specialized black-hat hackers
• Develop original software for antagonistic or criminal purposes
• Usually highly skilled in computer programming and detection evasion
• Malware “creation kits” used as framework to allow custom malware creation

Question 37

Cyber Militias

Answer 37

• Group of volunteers using cyberattacks to achieve political goal
  ‐ Utilize common communications channel (E.g. internet forum, social media service)
  ‐ Do not get any monetary rewards for their services
  ‐ Members that use cyberspace resources, in legal or illegal ways, as a means of general protest or to promote an expressed ideology or a political agenda

Question 38

Cyber Hacktivists

Answer 38

• Cyber militias that can, in some sense, be seen as a cyberspace equivalent to Greenpeace activists or other groups carrying out acts civil disobedience
  ‐ The “Anonymous” collective often seen as archetype of a hacktivist actor
• Methods often used by hacktivists include web site defacements, internet resource redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins and various forms of cyber-sabotage

Question 39

Criminal Syndicates

Answer 39

• Eastern Europe and West Africa are most active cybercrime hubs
• Other areas where unemployment rates are high and salaries are low
  ‐ Usually motivated by money and power
  ‐ Previously lawful citizens with technical skills turn to cybercrime as means to escape poverty
  ‐ Potential payout is huge on global scale (estimated $114 billion)

Question 40

What can be manipulated to route traffic from one country to another?

Answer 40

Border Gateway Protocol

Question 41

Supply Chain Threat

Answer 41

• Since firmware is loaded into memory before most security applications, it is undetectable by conventional cyber defense mechanisms
  ‐ Malicious code on firmware persists through system updates/reboots

Question 42

Who has six HPC systems?

Answer 42

Russia

Question 43

Who is aggressively pursuing implementations for secure quantum communications protocols?

Answer 43

Chinese

Question 44

What needs to be included in cyber intelligence reports?

Answer 44

• Adversarial Indicators of Compromise (IOCs)
• Tactics Techniques and Procedures (TTPs)
• Recommended actions/counter attacks

Question 45

What is generated bi-weekly be the 616th Operations Center?

Answer 45

Cyber Threat Bulletin

Question 46

Report which uses insights, statistics, and case studies to show how tools and tactics of APT actors evolved since 2014 and includes global and regional threat intelligence on industry trends as well as detailed malware analyses?

Answer 46

Mandiant’s Annual Cyber Threat Report

Question 47

Worldwide team of security engineers, threat analysts, and researchers who develop a variety of content on the latest threats that impact organizations and end users?

Answer 47

• Symantec’s Annual Threat Report
• Symantec’s Monthly Threat Report
• White papers covering an array of security topics

Question 48

What government agencies make cyber reports?

Answer 48

• Department of Homeland Security
• United States Computer Emergency Readiness Team
• Department of Defense
• Federal Bureau of Investigation

Question 49

What government agencies provide reports to the public?

Answer 49

• DHS Publications
• FBI Internet Crime Complaint Center (IC3) Reports
• DHS and FBI Joint Analysis Report (JAR-16-20296A)

Question 50

What is provided by both the DHS and FBI, provides technical details regarding tools and infrastructure used by Russian civilian and military intelligence services (RIS) to exploit networks and endpoints associated with the US election and a range of US government, political, and private sector entities, referred to as Grizzly Steppe?

Answer 50

JAR-16-20296A

Question 51

Activities performed consistently on a day-to-day basis to support multiple ongoing operations?

Answer 51

Standard operations

Question 52

Activities performed in support of an operation guided by a tasking?

Answer 52

Target Operations

Question 53

What are the five phases used by adversaries?

Answer 53

• Phase 0: Administer – Intent and resource development
• Phase 1: Prepare – Reconnaissance and staging
• Phase 2: Engage – Delivery and exploitation (to include C2)
• Phase 3: Propagate – Internal reconnaissance, lateral movement, and network persistence
• Phase 4: Effect – Exfiltration and attack

Question 54

What are the two phases of Phase 0: Administer?

Answer 54

• Resource Development
• Tasking

Question 55

What is it when adversaries conduct research on target networks and/or entities of interest and set up infrastructure and capabilities used during operations?

Answer 55

Phase 1: Prepare

Question 56

What consists of adversary actions against a target to gain initial access?

Answer 56

Phase 2: Engage

Question 57

What is guaranteeing ongoing & robust access to victim and propagating & achieving maintained presence on target/network?

Answer 57

Phase 3: Propagate

Question 58

What is the manipulation, disruption, denial, degradation, or destruction of computer or communication systems called?

Answer 58

Phase 4: Effect

Question 59

What are the three primary missions in Defensive Cyberspace Operations (DCO)?

Answer 59

1. Defend networks, systems and information
2. Prepare to defend the United States and its interests against cyberattacks of significant consequence
3. Provide integrated cyber capabilities to support military operations and contingency plans

Question 60

What mission conducts ongoing network defense operations to securely operate the DoDIN, has quick response capabilities, and covers the majority of DoD’s ops in cyberspace?

Answer 60

Defend networks, systems and information

Question 61

What mission covers direction by POTUS/SECDEF to counter imminent/on-going attacks against US homeland or US interests?

Answer 61

Prepare to defend the United States and its interests against Cyberattacks of Significant Consequence?

Question 62

What mission is to ensure that the internet remains open, secure, and prosperous and conducting cyber operations to deter or defeat strategic threats in other domains?

Answer 62

Provide integrated cyber capabilities to support military operations and contingency plans

Question 63

What are the strategic goals for defensive cyberspace operations?

Answer 63

1. Build and maintain ready forces and capabilities to conduct cyber ops
2. Defend the DoDIN, secure DoD data & mitigate risks to DoD missions
3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive/destructive cyber attacks of significant consequence
4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages
5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability

Question 64

Parts of 1. Build and maintain ready forces and capabilities to conduct cyber ops?

Answer 64

a. Build the cyber workforce
b. Build technical capabilities for cyber operations
c. Validate and continually refine adaptive C2 mechanism for cyber operations
d. Establish an enterprise-wide cyber modeling and simulation capability
e. Assess Cyber Mission Force capability

Question 65

Parts of 2. Defend the DoDIN, secure DoD data & mitigate risks to DoD missions?

Answer 65

a. Build the Joint Information Environment (JIE) single security architecture
b. Assess and ensure the effectiveness of the JFHQ for DoD
c. Mitigate known vulnerabilities
d. Assess DoD’s cyber defense forces
e. Improve the effectiveness of the current DoD Computer Network Defense Service
f. Plan for network defense and resilience
g. Red team DoD’s network defenses

Question 66

Parts of 3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive/destructive cyber attacks of significant consequence?

Answer 66

a. Continue to develop intelligence and warning capabilities to anticipate threats
b. Develop and exercise capabilities to defend the nation
c. Develop innovative approaches to defending U.S. critical infrastructure
d. Develop automated information sharing tools
e. Assess DoD’s cyber deterrence posture and strategy

Question 67

Parts of 5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability?

Answer 67

a. Build partner capacity in key regions
b. Develop solutions to counter the proliferation of destructive malware
c. Work with capable international partners to plan and train for cyber operations
d. Strengthen the U.S. cyber dialogue with China to enhance strategic stability

Question 68

What are the two types of encryption?

Answer 68

Symmetric and asymmetric

Question 69

What requires both sender and receiver to know and use the same key so they can encrypt/decrypt data?

Answer 69

Symmetric encryption

Question 70

What are the types of symmetric algorithms?

Answer 70

Stream Ciphers and Block Ciphers

Question 71

What are some of the features of stream ciphers?

Answer 71

• Encrypts bits of data 1 bit/byte at a time
• Faster and smaller to implement than block ciphers
• Most common = Rivest Cipher 4 (RC4)

Question 72

What are some of the features of block ciphers?

Answer 72

• Encrypts info by breaking it down into blocks and encrypting data in each block
• Encrypts data in fixed sized blocks (commonly of 64 bits)
• Most common = Triple Data Encryption Standard (3DES) & Advanced Encryption Standard (AES)

Question 73

What are some popular hash functions?

Answer 73

• Message Digest 5 (MD5)
• Secure Hash Function (SHA)

Question 74

What are some applications of hash functions?

Answer 74

• Password storage protection
• Data integrity checks
• Data file checksums (Provides assurance of data’s integrity)

Question 75

What are the goals of cryptography?

Answer 75

CIA and non-repudiation

Question 76

What are computing environments under the control of a single authority and have personnel and physical security measures?

Answer 76

Secure enclaves

Question 77

What is used within an organization performing a single function with multiple managed elements operating under the same security policy with the primary roles of providing services to internal users and providing very limited or no publicly accessible resources or services?

Answer 77

General Business LAN enclave

Question 78

What is a single site location performing management of multiple network enclave elements that may be based outside of General Business LAN enclave boundaries?

Answer 78

Network Operations Center

Question 79

What are the purposes of the many NOC enclaves within the DoD?

Answer 79

• Manage and monitor different networks
• Provide geographic redundancy in case one site is unavailable or offline

Question 80

CPCON 5

Answer 80

‐ DoD Risk Level: Very Low
‐ Priority Focus: All Functions
‐ Routine network ops (DoDIN Ops)
‐ Normal readiness
‐ Admins create snapshot of systems/network (known good “Baseline”)
‐ No impact to end-users

Question 81

CPCON 4

Answer 81

‐ DoD Risk Level: Low
‐ Priority Focus: All Functions
‐ Increases DoDIN in preparation for exercises
‐ User profiles reviewed for dormant accounts
‐ Increased frequency of validation process
● E.g. checking system/information/network/configs against known good baseline
‐ Confirm state of network as good (unaltered) or bad (compromised)
‐ Limited impact to users

Question 82

CPCON 3

Answer 82

‐ DoD Risk Level: Medium
‐ Priority Focus: Critical, Essential, and Support Functions
‐ Further increase in frequency of validation processes
‐ Minor impact to end-users

Question 83

CPCON 2

Answer 83

‐ DoD Risk Level: High
‐ Priority Focus: Critical, and Essential Functions
‐ Higher frequency validation of validation process
‐ Preplanning personnel training & pre-positioning of system rebuilding utilities
● Use of “hot spare” equipment = reduced rebuild time
‐ Significant impact to users for short periods

Question 84

CPCON 1

Answer 84

‐ DoD Risk Level: Very High
‐ Priority Focus: Critical Functions
‐ Highest readiness condition
‐ Significant impact to end-users for short periods

Question 85

Mission Assurance Category (MAC) III

Answer 85

● Requires best practice protective measures
● Requires basic integrity and basic availability of info systems
● Info systems handle info necessary for day-to-day business
‐ Info systems do not provide short-term support deployed/contingency forces

Question 86

Mission Assurance Category (MAC) II

Answer 86

● Requires additional safeguards beyond best practices to ensure adequate assurance
● Requires high integrity and medium availability of info systems
● Info systems handle info important to the support of deployed and contingency forces

Question 87

Mission Assurance Category (MAC) I

Answer 87

● Most stringent protection measures
● Requires high integrity & high availability
● Info systems handle info vital to operational readiness, mission effectiveness, & support of deployed and contingency forces

Question 88

What is one of the most complex areas of designing, implementing and managing a network?

Answer 88

Connecting to external networks

Question 89

What are the requirements for enclave external connections?

Answer 89

‐ Every site must have security policy to address filtering of traffic to and from those connections
‐ SIPRNet connections must comply with the documentation required by the SIPRNet Connection Approval Office (SCAO)
‐ Prior to connecting with another activity, establish Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) between the two sites

Question 90

What provides non-product specific requirements to mitigate sources of security vulnerabilities consistently and commonly encountered across IT systems and applications?

Answer 90

DISAs Security Requirement Guides (SRGs)

Question 91

What is published by DISA and provides product-specific information for validating, attaining, and continuously maintaining compliance with requirements defined in the SRG for that product’s technology area, meeting minimum requirements and additional documents?

Answer 91

STIGs

Question 92

What evaluates an organization’s compliance with DoD security orders and directives by assessing network vulnerabilities, physical and traditional security, and user education and awareness?

Answer 92

Command Cyber Operational Readiness Inspections (CCORI)

Question 93

What seeks to provide a more threat focused, mission-based assessment?

Answer 93

CCORI

Question 94

A CCORI analyzes what levels of effort to review operational risk?

Answer 94

• Mission
• Threat
• Vulnerabilities

Question 95

CCORI mission analysis is phased into the what phases of the operations order?

Answer 95

• Site selection
• Scoping/pre-inspection
• Inspection
• Post-inspection

Question 96

What is required by all enclaves connecting to the DISN and initiated in parallel with request fulfillment process for new/additional connections?

Answer 96

Assessment and Authorization (A&A) process

Question 97

What are the components of a vulnerability assessment?

Answer 97

• Scanning engine
• Vulnerability database

Question 98

What vulnerabilities are included in a vulnerability assessment?

Answer 98

• Outdated components
• Misconfiguration issues

Question 99

A vulnerability scan may be required to ensure compliance with what standards?

Answer 99

• PCI (Payment Card Industry)
• FISMA (Federal Information Security Management Act)
• HIPAA (Health Insurance Portability & Accountability)

Question 100

What is used to protect networks and computing devices, can be a hardware device or software, can control inbound & outbound internet traffic, and supports Network Address Translation (NAT)?

Answer 100

Firewalls

Question 101

What are the two rules that define general firewall security stances?

Answer 101

Default deny and default allow

Question 102

What are the main elements or components of firewall rules?

Answer 102

1. Base protocol
2. Source address
3. Source port
4. Target address
5. Target port
6. Action

Question 103

What are the basic rule guidelines for firewalls?

Answer 103

● Keep the rule set as simple as possible
● Document every rule
● Use a change control mechanism to track rule modifications.
● Always confirm the default deny before using changed/updated rule sets

Question 104

What are the functions NIDS operate in?

Answer 104

• Signature detection (passively examines network traffic)
• Anomaly detection (checks compliance w/ various protocol standards
• Hybrid

Question 105

What is designed to go one step further and actually try to prevent the attack from succeeding, typically achieved by inserting the NIPS device inline with the traffic?

Answer 105

Network-based IPS (NIPS)

Question 106

What takes advantage of being installed on the system to protect by monitoring and analyzing what other processes on the system are doing at a very detailed level and can analyze encrypted traffic and the decryption process has occured?

Answer 106

Host-based IPS (HIPS)

Question 107

What are focused on gaining intelligence information about attackers and their technologies and methods?

Answer 107

Research honeypots

Question 108

What are aimed at decreasing the risk to company IT resources and providing advanced warning about the incoming attacks on the network infrastructure?

Answer 108

Production honeypots

Question 109

What is the best tool for examining hacker activity?

Answer 109

Honeypots

Question 110

What are the honeypot components?

Answer 110

● Network device hardware
● Monitoring/logging tools
● Management workstation
● Alerting mechanism
● Keystroke logger
● Packet analyzer
● Forensic tools

Question 111

What are the steps in the cyber incident handling process and life cycle?

Answer 111

● Detection of Events
● Preliminary Analysis and Identification
● Preliminary Response Action
● Incident Analysis
● Response and Recover
● Post-Incident response

Question 112

What lists known cyber vulnerabilities?

Answer 112

The National Vulnerability Database (NVD)

Question 113

What are the steps of the preliminary response action phase?

Answer 113

1. Preventing a reportable cyber event or incident from causing further damage
2. Maintaining control of the affected IS(s) and the surrounding environment
3. Ensuring forensically sound acquisition of data necessary
4. Maintaining and updating the incident report and actively communicating updates through the appropriate technical & operational command channels

Question 114

What are the steps of the response and recovery phase?

Answer 114

1. Mitigating the risk or threat
2. Restoring the integrity of the IS and returning it to an operational state.
3. Implementing proactive and reactive defensive and protective measures to prevent similar incidents from occurring in the future

Question 115

What are the parts of the post-incident response phase?

Answer 115

‐ Lessons learned
‐ Initial root cause
‐ Problems with executing mission
‐ Missing policies and procedures
‐ Inadequate infrastructure defenses
‐ After Action Report

Question 116

CAT 0

Answer 116

Training and exercise

Question 117

CAT 1

Answer 117

Root level intrusion (incident)

Question 118

CAT 2

Answer 118

User level intrusion (incident)

Question 119

CAT 3

Answer 119

Unsuccessful activity attempt (event)

Question 120

CAT 4

Answer 120

Denial of service (incident)

Question 121

CAT 5

Answer 121

Non-compliance activity (event)

Question 122

CAT 6

Answer 122

Reconnaissance (event)

Question 123

CAT 7

Answer 123

Malicious logic (incident)

Question 124

CAT 8

Answer 124

Investigating (event)

Question 125

CAT 9

Answer 125

Explained anomaly (event)

Question 126

What are the phases of the forensics process?

Answer 126

• Collection
• Examination
• Analysis
• Reporting

Question 127

What provides organizations a starting point for developing a forensic capability, in conjunction with extensive guidance provided by legal advisors, law enforcement officials, and management?

Answer 127

NIST 800-86

Question 128

What is the gathering and reviewing of all information from or about the affected IS(s) to further incident analysis and understand the full scope of the incident?

Answer 128

System analysis

Question 129

What is a suite of computer forensics software, commonly used by law enforcement, is the de-facto standard in forensics, and is made to collect data from a computer in a forensically sound manner?

Answer 129

EnCase

Question 130

What is an easy-to-use file viewer that recognizes nearly 300 types of files and works with media images created by several imaging utilities?

Answer 130

Forensic Toolkit (FTK)

Question 131

What is a popular, free, open source forensic software suite for Linux, is a collection of command-line tools that provides media management and forensic analysis functionality, and supports MAC partitions and analyzes files from MAC systems?

Answer 131

The Sleuth Kit (TSK)

Question 132

What is a Linux forensic tool used by law enforcement, government agencies, military, intelligence and private investigators?

Answer 132

SMART

Question 133

What is the process of analyzing and capturing the capabilities of software artifacts suspected of being malicious code?

Answer 133

Malware analysis

Question 134

What are individuals analyzing or otherwise handling malware expected to do?

Answer 134

• Handle with care
• Catalog all software artifacts
• Perform analysis in an isolated environment

Question 135

What involves quick checks to characterize the sample within the context of the analysis missions with techniques including file type identification, string extraction, public source analysis, and comparative analysis with previously analyzed artifacts?

Answer 135

Malware analysis (surface analysis)

Question 136

What is some potential information gained from malware analysis (surface analysis)?

Answer 136

‐ Identification of strings in binary files
‐ Hashes
‐ Antivirus software detection status
‐ File sizes
‐ File type identification
‐ File attribute information

Question 137

What is controlled execution of the malware sample in an isolated environment instrumented to monitor, observe, and record run-time behavior?

Answer 137

Malware analysis (run-time)

Question 138

What is some potential information to be gained from malware analysis (run-time)?

Answer 138

‐ Network touch points (addresses, protocols, ports, etc.)
‐ File system and registry activity
‐ Vulnerabilities or weaknesses in particular run-time environments
‐ System service daemon interactions
‐ Success of remediation techniques in particular run-time environments
‐ Suggestions of adversarial intent

Question 139

What focuses on examining and interpreting the contents of a malware sample?

Answer 139

Malware analysis (static)

Question 140

What is the first formal study in the requirements process?

Answer 140

Capabilities Based Assessment (CBA)

Question 141

What does the CBA consist of?

Answer 141

• Defining the capabilities required
• Gap analysis

Question 142

If the CBA recommends a material solution, what is the next step in the requirements process?

Answer 142

Initial capabilities document (ICD)

Question 143

What is an analytical comparison of the operational effectiveness, suitability, risk, and life cycle cost of alternatives that satisfy validated capability needs?

Answer 143

Analysis of Alternatives (AoA)

Question 144

What describes the increment and provides an outline of the overall acquisition program strategy?

Answer 144

Capability Development Document (CDD)

Question 145

What outlines an affordable increment(s) of militarily useful, logistically supportable, and technically mature capabilities that is ready for production?

Answer 145

Capability Production Document (CPD)

Question 146

What is a dynamic, agile, risk-management-based problem-solving approach, balancing critical operational cyber mission needs against other organizational resource requirements and priorities?

Answer 146

Real-time Operations and Innovation (RTO&I)

Question 147

What are the RTO&I project types?

Answer 147

• Type 1: Immediate needs
• Type 2: Known short-term future needs

Question 148

What identifies service specific needs during a current conflict or crisis situation that if not satisfied in an expedited manner, will result in unacceptable loss of life or critical mission failure, and has the goal of delivering fielded capabilities within 180 days of a validated request?

Answer 148

Urgent Operational Needs (UONs)

Question 149

What is an urgent need identified by a warfighting commander that requires synchronization across multiple Service/agency providers to ensure complete and timely combat capability is provided to the Joint warfighter?

Answer 149

Joint Urgent Ops/Joint Emergent Op Needs (JUON/JEONs)

Question 150

What has the purpose of ensuring DoD acquires systems that work and meet specified requirements and provides knowledge of system design, capabilities, and limitations to the acquisition community to improve a system?

Answer 150

Capabilities-based test & evaluation (T&E)

Question 151

What are the types of T&E?

Answer 151

• Developmental testing
• Operational testing
• Cyber test

Question 152

What are the steps in developmental testing?

Answer 152

1. Identifies and helps resolve deficiencies and vulnerabilities as early as possible.
2. Verifies compliance with specifications, standards, and contracts.
3. Characterizes system performance and military utility.
4. Assesses quality and reliability of systems.
5. Determines fielded system performance against changing operational requirements and threats.

Question 153

Operational Testing

Answer 153

• Determines the operational effectiveness and suitability of the systems under test
  ‐ Determines if operational capability requirements have been satisfied and assesses system impacts to both peacetime and combat operations
  ‐ Identifies and helps resolve deficiencies as early as possible, identifies enhancements, and evaluates changes in system configurations that alter system performance

Question 154

Cyber Testing

Answer 154

‐ Evaluates and characterizes systems and sub-systems operating in the cyberspace domain, and the access pathways of such systems
‐ Focuses on identifying system cyber vulnerabilities. It is scoped through assessing a system’s cyber boundary and risk to mission assurance. Risk analysis, at a minimum, should consider the threat and threat severity, the likelihood of discovery, likelihood of attack, and system impact

Question 155

What is the only method of analysis that can produce a definitive or complete understanding of a malware sample?

Answer 155

Reverse engineering

Question 156

What is potential information gained by reverse engineering?

Answer 156

1. Manual unpacking of packing executable files
2. Understanding of obfuscation or encryption techniques
3. Definitive understanding of malware capabilities
4. Characterization of malware sophistication
5. Comparison of capabilities across malware samples
6. Understanding algorithms used